Vulnerability Description
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ruby-Lang | Date | < 2.0.1 |
| Ruby-Lang | Ruby | >= 2.6.0, < 2.6.9 |
| Redhat | Software Collections | - |
| Redhat | Enterprise Linux | 7.0 |
| Fedoraproject | Fedora | 34 |
| Debian | Debian Linux | 9.0 |
| Suse | Linux Enterprise | 12.0 |
| Opensuse | Factory | - |
| Opensuse | Leap | 15.2 |
Related Weaknesses (CWE)
References
- https://hackerone.com/reports/1254844Permissions Required
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202401-27
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-ExploitVendor Advisory
- https://hackerone.com/reports/1254844Permissions Required
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202401-27
- https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-ExploitVendor Advisory
FAQ
What is CVE-2021-41817?
CVE-2021-41817 is a vulnerability with a CVSS score of 7.5 (HIGH). Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
How severe is CVE-2021-41817?
CVE-2021-41817 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-41817?
Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Date, Ruby-Lang Ruby, Redhat Software Collections, Redhat Enterprise Linux, Fedoraproject Fedora.